What is SAML
Security Assertion Markup Language (SAML) 2.0 is one of the most widely used open standards for authentication and authorization between multiple parties. It’s one of the protocols that give users the single sign-on (SSO) experience for applications.
At its core, SAML 2.0 is a means to exchange authentication and authorization information between services. It is frequently used to implement internal corporate single sign-on (SSO) solutions, where the user logs in to a service that acts as the single source of identity, which then grants access to a subset of other internal services.
- Single source of identity.
- Enforce consistent authentication. SAML/SSO can be used to enforce a consistent method of authentication across all internal corporate services, like multifactor authentication and session duration.
How does SAML work with your School?
Once you set up SAML SSO with your existing IDP, your users will be able to Single Sign-On to your school via your Identity Provider (IDP).
For instance, we have set up a demo school to use Okta as IDP.
When the user clicks on Sign in and is not already logged in to their Okta account, they will be redirected to Okta to be authenticated, and Okta will redirect them back to the school page upon successful authentication.
If the user is already logged in to their Okta account, then they will be automatically logged in to LearnWorlds.
Finally, the SSO mechanism uses the user’s email to identify the user. Therefore, to change the user's email address, you will need to update the new email both in your school and on your IDP.
How to set up SAML
You can set up SAML with practically any Identity Provider (IDP). IDPs give you the option to create an authentication application, to which you provide the necessary information from your school (the Service Provider). You will also need to gather the necessary information from the IDP’s authentication application.
We have already created detailed guidelines for the following IDPs:
If you have another IDP, then you can refer to your IDP documentation and go to our setup page.
1. Log in to your school with your LearnWorlds account.
2. Click on Site Builder → Sign in/up and select SAML.
3. You will need to provide the following information to your IDP:
a. Service Provider (SP) URL: this is your school's SAML Service Provider (SP) URL that the IDP will use to identify your service.
b. Assertion Consumer Service (ACS) URL: this is the “Reply URL” that the IDP will use to inform your school (SP) whether the user has been authenticated successfully.
4. Once you set up this information on your IDP and create the authentication application, you will need to update your school’s setup with the necessary information from your IDP:
a. IDP Identifier (Entity ID): this is the ID that the IDP assigns to the created application.
b. Sign-on URL: this is the URL that the school will call to authenticate the user via the IDP.
c. Single Logout URL: in case you implement a single logout, you may provide this URL. When the user logs out from LearnWorlds, the system will call this URL and the IDP will log out the user from all other services.
d. Identity Provider Certificate: you need to provide the IDP's public certificate to authenticate the call.
5. Save your settings and you are all set. Your users may now Single Sign-On by using your favorite IDP.
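The values in step 4 usually appear together in the metadata XML that an IDP publishes for the authentication application. The following added example, which is not LearnWorlds code, reads them from a constructed metadata sample, rejects non-HTTPS endpoints, and prints the certificate fingerprint so it can be compared with the one shown in the IDP console. The function name, the sample URLs and the choice of the HTTP-Redirect binding are assumptions.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Assumption: the sign-on and logout URLs are taken from the HTTP-Redirect binding.
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: placeholder bytes stand in for a real DER certificate.
SAMPLE_DER = b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE"
SAMPLE_METADATA = f"""<md:EntityDescriptor
    xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/app/abc123">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(SAMPLE_DER).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}"
        Location="https://idp.example.com/app/abc123/slo"/>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://idp.example.com/app/abc123/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def idp_settings(metadata_xml):
    """Return the step 4 fields from IDP metadata (hypothetical helper)."""
    root = ET.fromstring(metadata_xml)  # only parse metadata fetched from your own IDP
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def location(tag, required):
        for el in idp.findall(f"md:{tag}", NS):
            if el.get("Binding") == REDIRECT:
                url = el.get("Location", "")
                if not url.startswith("https://"):
                    raise ValueError(f"{tag} is not HTTPS: {url!r}")
                return url
        if required:
            raise ValueError(f"metadata has no {tag} for the redirect binding")
        return None  # Single Logout is optional

    cert = idp.find("md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        raise ValueError("metadata has no signing certificate")
    der = base64.b64decode("".join(cert.text.split()))  # drop line breaks first
    return {"entity_id": root.get("entityID"),
            "sign_on_url": location("SingleSignOnService", True),
            "single_logout_url": location("SingleLogoutService", False),
            "cert_sha256": hashlib.sha256(der).hexdigest()}

if __name__ == "__main__":
    for field, value in idp_settings(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
```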
- The changes in the Sign in/up page regarding SSO will have to be made by the LearnWorlds admin.
- Only the Sign in link should be used at your school since Sign Up and password reset will be performed by the IDP.
- If you wish to use our built-in Affiliate Management program, you should consider not using the SSO solution, since it will not be feasible to use this feature and track sales.
- If you're using SAML as an authentication method, it's mandatory to change the Site Navigation settings in the Payment Flow section for Logged-out users, as they will need to sign up/log in before proceeding to the payment page.
- If you select SAML (external IDP), the password update/reset functionality will not be available (this applies to the LearnWorlds admin as well).
- Also, you need to make sure that in all Payment Sections the Sign in/up form option is set to hide, since the user will not be able to sign in/up via the LearnWorlds system.